15:00:48 <gagehugo> #startmeeting security
15:00:49 <openstack> Meeting started Thu Dec 13 15:00:48 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:50 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 <openstack> The meeting name has been set to 'security'
15:02:05 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:21 <nickthetait> hey
15:02:28 <redrobot> o/ but only kinda... also in a conference call :-\
15:02:48 <gagehugo> nickthetait redrobot: o/
15:03:32 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:03:56 <gagehugo> nothing really on the agenda afaik for this week
15:04:03 <gagehugo> do you guys have anything?
15:04:39 <Luzi> o/
15:05:28 <gagehugo> Luzi o/
15:07:05 <Luzi> there has been some confusion for me about, what projects you all represent in here?
15:07:11 <fungi> there was one concern raised on a security hardening bug about interest in an ossn
15:07:24 <fungi> Luzi: we represent openstack
15:07:37 <fungi> though we have backgrounds individually in lots of different pieces
15:08:16 <Luzi> fungi, i mean the backgrounds, in which openstack projects you are somehow active
15:08:53 <fungi> i personally am on the technical committee, vulnerability management team, opendev/infra team and on the osf staff, among other hats
15:09:40 <gagehugo> I'm mostly active with keystone and the vulnerability management team
15:10:10 <gagehugo> fungi: that was the bug from april right?
15:10:44 <fungi> no, getting the link
15:10:52 <fungi> #link https://launchpad.net/bugs/1795800 Username enumeration via response timing difference
15:10:54 <openstack> Launchpad bug 1795800 in OpenStack Identity (keystone) "Username enumeration via response timing difference" [Wishlist,Triaged]
15:10:58 <nickthetait> for me, still pretty new. Contributed to some OSSNs and reviewing a few proposals that would have security impact.
15:10:59 <gagehugo> ty
15:11:14 <fungi> the reporter seems to be interested in more widely communicating that particular username enumeration oracle
15:11:14 <gagehugo> oh that one
15:12:53 <fungi> nickthetait: you worked/work on the bandit code security analyzer too, right?
15:13:14 <gagehugo> hmm I wonder with the flask rework if that would be easier to fix
15:13:18 <nickthetait> yup
15:14:08 <fungi> Luzi: so anyway, a fairly diverse crowd, at least today
15:14:15 <fungi> and you're with secustack, i gather?
15:16:30 <fungi> and redrobot (who said he's "only kinda" around) is a core reviewer on barbican
15:16:45 <Luzi> fungi: yes, we have looked into a few different openstack projects like so far
15:16:55 <fungi> and lhinds sometimes joins us, a long-time contributor to the openstack security guide
15:18:05 <Luzi> fungi, nice to know
15:21:05 <nickthetait> quick (non-security) question: was there a proposal to change the length of releases? Don't remember where I heard this
15:22:05 <fungi> nickthetait: it's come up off and on over the years. most recent discussion last year looked at options anywhere from quarterly to annually and concluded that semi-annual was still a good compromise for now
15:22:27 <nickthetait> okay thx
15:23:00 <fungi> a lot of that tied into the long-term-stable/extended-maintenance discussions as well as the skip-level/fast-forward upgrades discussions
15:23:57 <fungi> i think once em and ffu get a little more entrenched it might be easier to shift our release cadence in the future
15:25:47 <fungi> Luzi: anyway, as i mentioned on that recent openstack-discuss mailing list thread, people with a variety of backgrounds and involvement in various bits of openstack, but as a result we're also all pulled in a lot of different directions, and we'd welcome involvement from people with backgrounds in some of the other popular components of openstack. particularly the ones in which you're trying to get a
15:25:48 <fungi> foothold with the encrypted images specs
15:26:23 <fungi> (cinder, glance, nova...)
15:26:54 <fungi> (...oslo...)
15:27:25 <Luzi> i just wanted to update my knowledge so far :) it's good to know, with whom you are talking and what background they have
15:30:40 <nickthetait> welcome to the security SIG luzi!
15:30:54 <Luzi> nickthetait, thank you
15:31:58 <fungi> i tend to be particularly spotty with my input in these meetings because they overlap with the busiest technical committee office hour slot of the week
15:32:15 <fungi> so my apologies
15:32:44 <Luzi> fungi, no problem - i know what overlapping meetings look like :)
15:34:27 <gagehugo> double meetings
15:34:50 <gagehugo> does anyone have anything else they want to discuss this week?
15:35:09 <gagehugo> fungi: I can take a look at that bug
15:35:21 <fungi> thanks gagehugo
15:35:30 <nickthetait> no big news from me
15:35:33 <gagehugo> I may need to find a lower power device to test it on though
15:36:28 <fungi> and no, i didn't have anything especially exciting to bring up. i guess there's the ml thread on which the slow pace of moving the encrypted images work forward is progressing, and finding ways to better publicize/endorse the benefits of the feature Luzi and colleagues are designing
15:37:49 <fungi> thread starts at:
15:37:58 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000464.html [all]Forum summary: Expose SIGs and WGs
15:38:39 <gagehugo> cross-project specs always move slowly it seems
15:40:27 <gagehugo> I thought I saw a temporary sig involving the projects get mentioned, not sure if that was in the email thread or tc chat
15:41:00 <fungi> described as an even more informal "pop-up team" concept
15:41:31 <fungi> basically the emergent behavior we tend to see when efforts like that (cinder/nova multi-attach for example) play out successfully
15:42:06 <fungi> a way of pointing out what worked well and recommending similar sorts of patterns of interaction
15:46:33 <nickthetait> interesting
15:51:01 <gagehugo> thanks for coming everyone, feel free to ping in openstack-security if there are any more questions
15:51:11 <gagehugo> #endmeeting